Академический Документы
Профессиональный Документы
Культура Документы
Mitigating Credential Theft PDF
Mitigating Credential Theft PDF
Pass-the-Hash
and Other
Credential Theft,
version 2
Trustworthy Computing
Trustworthy Computing 1
Legal disclaimer
This document is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION
IN THIS DOCUMENT.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.
Contributors
Aaron Margosis Eric Leonard Michael Howard
Aaron Tebrink Eric Mitchell Michael Poole
Adam Stasiniewicz Eugene Siu Michael Scovetta
Al Tieman Georgeo Pulikkathara Michiko Short
Andrea Piazza Glenn Pittaway Nate Morin
Andrew Idell Graham Calladine Nathan Ide
Arden White Hasnat Naveed Nicholas DiCola
Bill Talbot James Noyce Patrick Arnold
Chris Betz Joe Corey Paul Cullimore
Chris Hale John Rodriguez Roger Grimes
Chris Jeuell John Wall Ted Daley
Cristin Goodwin Joshua Talbot Tom Stolk
Cynthia Sandvick Keith Proctor Tony Rice
Danielle Alyias Lesley Kipling Tony Ureche
Dario Brambilla Mark McIntyre Troy Arwine
David Cross Mark McRoy William Dixon
Dirk-Jan van der Vecht Mark Russinovich Yashar Bahman
Trustworthy Computing 3
Contents
Executive summary ���������� ������������������������������������������������������������������������������������������5
Matt Thomlinson
Vice President
Microsoft Security
Trustworthy Computing 5
Introduction
This white paper describes strategies and mitigations that are available
with the release of features in Windows 8.1 / Windows Server 2012 R2 to
address Pass-the-Hash (PtH) attacks. Prior knowledge of PtH attacks and
the previously published mitigations are expected. Additional background
information is provided in Mitigating Pass-the-Hash (PtH) Attacks and Other
Credential Theft Techniques.
The second half of the paper provides more information about the available
technical mitigations that support these strategies, including a brief overview
of the previous paper, key points about what has changed since its publication,
and features introduced with the release of Windows 8.1 and Windows Server
2012 R2 that help mitigate credential theft. In the “Sample scenarios” section,
the reader will find example cases, including helpdesk and administrative
support, to understand risks and what mitigations can be used.
Assume breach
Traditional security approaches focus on hardening the outermost network Assuming breach
perimeter in an effort to protect against a breach. But even the most stringent
requires a shift
perimeter protections can be bypassed by a legitimate user account that has
inadvertently been compromised or authorized personnel purposefully acting
in mindset from
in a malicious capacity. In the pervasive threat environment that exists today, prevention alone to
organizations need to assume this perimeter can be breached and protect key containment after
assets against internal as well as external threats. breach.
Assuming breach requires a shift in mindset from prevention alone to
containment after breach. One reason for this is that shared long-term
secrets (for example, privileged account passwords) are frequently used
to access anything from the lowest print server to the domain controller.
This represents a risk that transcends the technique or protocol being
currently used. To achieve the containment of attackers, rapid detection This level of
and remediation of initial breaches is required. This level of organizational organizational
responsiveness can only be attained through preparation. responsiveness can
In addition, most threat modeling efforts stop at the point where the only be attained
attacker gains administrative access, in effect declaring “game over.” In reality, through
organizations must continue to do business, respond to the attack, and plan preparation.
Problem Solved?
Effective Although Microsoft continues to improve strategies for detection and
mitigations require provide new features that enable customers to protect against these types
of attacks, the problem cannot be solved by implementing a single strategy
a holistic approach
or deploying a single feature. Credential theft attacks often leverage
addressing operational practices or user credential exposure, so effective mitigations
people, processes, require a holistic approach that addresses people, processes, and
and technology. technology. Also, these attacks rely on stealing credentials after a system
compromise to expand or persist access, so organizations need to ensure
that breaches are contained rapidly by implementing strategies that prevent
attackers from moving freely and undetected in a compromised network.
Realistically, mitigations increase the effort that a determined attacker
needs to apply to remain inconspicuous. When an effective program is
implemented, attackers may find too many barriers and trigger detection
mechanisms that could help organizations stop the attack.
Trustworthy Computing 7
Plan for compromise
Technical features and capabilities alone will not prevent PtH and other
credential theft attacks because the attack surface is primarily shaped by
operational practices. Therefore, Microsoft encourages its customers to
create a comprehensive plan using the security strategies and Windows
features prior to deploying a security architecture program. To create
resilience to PtH and related attacks, identify and investigate possible threats,
and recover from a compromise, customers are encouraged to consider the
following specific stages during architecture planning efforts. These stages
map to the functions in the National Institute of Standards and Technology
Framework for Improving Critical Infrastructure Cybersecurity.
Figure 1:
Security stages
The next section examines each of these stages to help with planning and design,
prior to deploying mitigations. We recommend here only an approach, along with
considerations for these areas that we believe are important.
Trustworthy Computing 9
Strategies
Identify all high-value assets
It is challenging to protect what is not known or understood. A critical first step should
be to identify and prioritize high-value IT and business assets. These may be assets that
provide access to multiple computers with or without administrative rights, or access
to sensitive data or resources, and may allow attackers to perform lateral movement or
privilege escalation. See “Prioritize high-value accounts and computers” for examples.
▪▪What are the assets we want access to (domain controller, certificate authority,
mail server, file server)?
▪▪ Who has access to those assets (who are the administrators on these servers)?
▪▪Where can we get access to those credentials (what servers can we compromise to
capture the credentials of a target user or administrator)?
They will start gathering as many credentials as possible, each stolen credential grows
the graph and helps them get closer to their goal. This process is repeated multiple
times until the target can be reached.
Figure 2:
Attack graph ELAPSED TIME:
GET CREDENTIALS
Malicious tactics such as social engineering Create a plann
8 HRS OR LESS
strategies and
and phishing schemes are used to trick
! personnel and obtain credentials for
network access. Most organizations do
ATTACKER not recognize when attackers are already
within the network and have access to STRATEGIES
information such as emails, confidential
documents and other intellectual property. • Identify all high value assets
• Protect against known and unk
• Detect PtH and related attac
• Respond to suspicious activ
• Recover from a breach
FEATURES D
GET CONTROL
ELAPSED TIME: Protected Users security T
48 HRS OR LESS The ultimate goal of the attackers may be group t
to gain access to the domain controllers, m
the central clearing hub for all credentials
and identities. Once compromised, an
attacker has complete control over an Authentication Policy and N
entire organization. All assets, intellectual Authentication Policy Silos a
property, physical property, and personal
information are in jeopardy.
LSA protection A
p
S
t
In many cases, an attack graph will look different from normal usage patterns.
This is because the attacker may not care about the legitimate access pattern,
only what can be accessed by using a compromised account or resource.
Since the attacker’s first step is to understand the target, so too must
defenders take a similar approach. By identifying both legitimate and
possible unauthorized access patterns, organizations are better able to
effectively tailor the strategies described in this paper.
Trustworthy Computing 11
Prioritize high-value accounts and computers
A good place to start when identifying high-value assets is with the accounts and hosts
used in the administration of IT assets because these will be targeted by attackers to
escalate privileges. Other hosts and services may be targeted for sensitive information or
persons of interest. Some examples of targeted high-value accounts and hosts include:
• Domain Administrators
• Enterprise Administrators
• Schema Administrators
• Account Operators
• Backup Operators
• BUILTIN\Administrators
▪▪Accounts that are used to manage domain controllers. For example, if System
Center Operations Manager or System Center Configuration Manager runs on
domain controllers or any server that a domain administrator-equivalent account
logs on to, then Operations/Configuration Manager administrators are effectively
domain administrators.
Trustworthy Computing 13
Architect a credential theft defense
To create environments that are resilient to credential theft, defenders must
consider all aspects of credential use and storage. Organizations should
limit the availability of credentials throughout the following lifecycle as
they are used or stored, and ensure they are transmitted securely.
Figure 3:
Credentials use and
storage lifecycle
▪▪Credentials being used or cached for later use (on clients or servers)
▪▪Credentials in transit over network connections
▪▪Credentials stored on authoritative stores such as domain controllers and local
account databases on local computers
Because the focus of this white paper assumes a certain degree of account
compromise, the remainder of this section focuses on containment,
administrative practices, and supplemental general recommendations.
Figure 4:
Tier Model
Tier definition
The model is intended to prevent an escalation of privilege path for an
attacker using stolen credentials and is defined by the following rules:
Trustworthy Computing 15
currently logs on to multiple tiers will be split into multiple accounts, each
of which fits within only one tier definition. These accounts will also be
required to have different passwords.
Figure 5 visually depicts the logon restrictions for the tier model.
Figure 5:
Tier Model-
Administrative
logon restrictions
Trustworthy Computing 17
▪▪Implement network segmentation for client, server and domain isolation. For more
▪▪Implement a physically separated multi-factor authentication solution. See Azure
Multi-Factor Authentication for more information.
information...
see the “Other
Harden and restrict hosts for administrative purposes Enterprise Security
Any hosts on which administrators enter credentials or perform administrative tasks Solution” section in
are entrusted with the privileges associated with the account that is used, even if the Appendix
temporarily. The act of physically typing a password, smartcard PIN, or other verifier,
or connecting a physical authentication device grants the credentials’ permissions to
that computer. The risk of a system should be measured by the highest risk activity
that is performed on it, such as Internet browsing, sending and receiving email, or
the use of other applications that process unknown or untrusted content.
▪▪All hosts on which administrative actions are performed, including those that use
a standard user desktop running an RDP client to remotely administer servers
and applications.
▪▪Customers can use the Microsoft Security Compliance Manager (SCM) for
configuring the baselines on the administrative hosts.
USB restrictions to protect against physical infection vectors. See Control Read or
Write Access to Removable Devices or Media for more information.
Network isolation to protect against network attacks and inadvertent admin actions.
Host firewalls should block all incoming connections except those explicitly required
and block all outbound Internet access.
Exploit mitigations to mitigate against unknown threats and exploits. See the
Enhanced Mitigation Experience Toolkit (EMET).
▪▪Use of tools such as the Attack Surface Analyzer (ASA) will help assess configuration
settings on a host and identify attack vectors introduced by software or
configuration changes.
Some of these measures might seem extreme, but public revelations in recent
years have illustrated the significant capabilities that skilled adversaries possess to
compromise targets.
Trustworthy Computing 19
Ensure visibility and accountability of administrative practices
Administrative account usage is logged in Windows, but an organization may wish
to increase the visibility and control of how these accounts and privileges are used.
An organization can use an identity management tool such as Microsoft Forefront
Identity Manager (or Identity Manager) to provide managed access to privileged
groups through workflows. An organization may also use third-party tools to control
and review access to privileged accounts, several of which are described in the Best
Practices for Securing Active Directory white paper.
▪▪Watch and follow a sample set of users in their daily tasks to identify their important
and frequent duties, what aspects are security sensitive, and how to align security
and usability.
Detective controls are more effective on credential use because credential theft
detection relies on retrieving events from a compromised computer. An attacker
using stolen credentials may trigger suspicious events in a network while accessing
resources. Detecting this illicit credential use is possible, but requires separating
attacker activity from high volumes of legitimate events.
▪▪Unusual activity performed with the account (for example, settings changed and
authentication policy failures).
Trustworthy Computing 21
▪▪Modification of sensitive objects (for example, a change to the membership of
Domain Admins).
▪▪Mismatch between an account used for perimeter access, such as a virtual private
network (VPN), and the account used to access resources.
Data collection
Events to collect include the following:
Under ProtectedUserFailures-DomainController
Events generated when an account that is a member of the Protected Users
security group tries to use blocked authentication options.
• Event ID 106 – The user or device was not allowed to authenticate to the server.
• Event ID 305 – Kerberos TGT request did not meet access control restrictions.
• Event ID 306 – User, device or both do not meet the access control restrictions.
Detect LSA plug-ins and drivers that fail to run as a protected process
If audit mode is enabled for the Local Security Authority Subsystem (LSASS), an
event will be generated when Lsass.exe attempts to load an unauthorized driver. See
Configuring Additional LSA Protection on TechNet for details.
• Event ID 3066: This event records a code integrity check that determined that
a process (usually lsass.exe) attempted to load a particular driver that did not
meet the Microsoft signing level requirements. However, due to the system
policy that is set, the image was allowed to load.
Other events
Systems running applications to restrict software, monitor system changes,
antimalware, or other applications that may provide relevant information on PtH and
related attacks should also be collected and observed. Access logs for supporting
infrastructure, such as firewalls and VPNs, should be monitored. Organizations
should evaluate what other software and infrastructure events are relevant when
implementing a detection strategy. This information will be invaluable when
investigating attacks and successful breaches.
Organizations using Azure Active Directory (AAD) can also benefit from machine
learning and other geo-location detection of malicious activities for AAD cloud
accounts. See Azure Active Directory Identity and Access Management for the Cloud
for more information.
Trustworthy Computing 23
Manage event collection and alerts
Multiple options exist for centralized event log collection and management,
including the following.
▪▪Ifattack
a compromise has occurred, proceed to recovery plans and ensure that
vectors are properly addressed.
Investigate attacks
The most important part of developing an investigation strategy is to obtain
enough details about an attack to determine the scope of a breach. Adversaries
typically obtain a keychain of valid domain credentials in an attack and any
individual credential compromise could be a sign of a larger problem.
Note: For security and privacy reasons, Microsoft does not recommend
For more enabling this feature permanently. When this policy setting is enabled,
information... any user with read access to security events will be able to read the
command-line arguments for any successfully created process.
See Command Line Command-line arguments can contain sensitive or private information,
Auditing onMicrosoft such as passwords or user data.
TechNet.
This feature can be enabled for the machine or user by setting
Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\
ProcessCreationIncludeCmdLine_Enabled to 1 or through a policy change.
Figure 6:
Include command line
in process creation
events.
Trustworthy Computing 25
Recover from a breach
After a successful PtH attack, the highest priority should be to recover control over
the compromised assets. Unfortunately, the traditional disaster recovery approach of
restoring from a recent backup is often ineffective, because attacks are not typically
detected immediately. This section provides considerations for recovering accounts
and domain integrity when restoring from backup is not viable.
This paper does not discuss post-incident recovery or host recovery in depth.
Recover accounts
In the event of a compromise, action must be taken to recover the control of compromised
accounts. These practices are only effective if an organization has high confidence that the
domain has not been compromised.
The following recovery practices have limitations and should be carefully evaluated
before they are executed. It is also imperative that the root cause of a breach be
identified in order for the following recommendations to be effective and prevent
attackers from regaining access.
Methods:
▪▪Set passwords to require change at next logon. One benefit of this action is that other
types of credentials such as smartcards will be unusable until passwords are reset.
Note: Computer account passwords are used to prove the computer and the
domain controller identity to each other. These secrets may be used on attacks
that restrict access based on the machine account (for example authentication
policies). For more information, see Reset a Computer Account.
For more information, see Settings for default local accounts in Active Directory.
Considerations:
▪▪This is only effective against future authentications. Resources such as shares and
named pipes that were accessed with the compromised credentials will remain
available until the logon session that granted access is terminated.
▪▪Ifused
the host is offline during this practice, cached logon password verifiers can still be
locally.
▪▪The attacker can persist in the context of the user by using malware installed in the
user’s profile.
Disable an account and remove group memberships. The idea is to restrict or remove
the privileges associated with the compromised account.
Methods:
▪▪Disable the account in Active Directory Domain Services.
▪▪ Remove the account from Active Directory security groups and any local security groups.
Considerations:
▪▪This is only effective against future authentications.
▪▪When the security token is created, the group membership is hard-coded in the
token. Therefore, any process that is already running with that token will run with
the original permissions of the account even after the account is removed from the
security group.
▪▪ This action will likely inform the attacker that a breach has been detected.
Restore the integrity of the domain and forest
Because many existing implementations of Active Directory Domain Services have been
operating for years at risk of credential theft, organizations should assume breach and
consider the very real possibility that they may have an undetected compromise of
domain or enterprise administrator credentials. An organization that suspects domain
compromise should consider the use of professional incident response services.
Trustworthy Computing 27
requires planning because it can disrupt all authentication. See “Reset the
KRBTGT account” at the end of this section for more information
Prevent the same attack from working again. Adversaries typically use techniques
that were successful in the past and then move to other available techniques. The use
of backdoors and other attacks may also allow an attacker to regain access.
Ultimately, there are two valid approaches to achieve meaningful recovery of accounts
in large, complex environments:
▪▪Aemail
stealth operation that the adversary is unaware of. Adversaries frequently monitor
and other communications and are likely to modify their presence on a
network to defeat a cleanup operation.
▪▪Risk of coexistence. Organizations that are moving resources to a new environment will
frequently need the ability for users to connect with the compromised environment to
perform some job tasks until all resources and users are fully migrated. Organizations
must take care to ensure that any credentials that are exposed to the old environment
cannot be used to gain access to the new environment.
▪▪Planned end State. Organizations should consider the relative cost and benefit of the
options for the strategic recovery end state. These range from only recovering only
the current forest to separating business critical functions into a separate forest to
creating and migrating to a new forest (and many other variations). Organizations will
have to consider their options in light of many factors including the business value
Mitigations
This section discusses previously recommended mitigations, platform enhancements,
and features introduced since Windows 8.1 and 2012 R2. Readers are advised to review
this entire section prior to implementing mitigations.
Updates
The previously referenced white paper, Mitigating Pass-the-Hash (PtH) Attacks and Other
Credential Theft Techniques, provides some simple, practical, yet effective mitigations that
most customers could implement without any major changes to their infrastructure.
The previously recommended mitigations were ranked by priority. The first mitigation
advises customers to protect high-privileged domain accounts, the second to protect
the local administrator account, and the last to use the local Windows Firewall to
restrict inbound access from unauthorized computers or applications. Improvements
in Windows 8.1 and Windows Server 2012 R2 support these mitigations through the
use of new functionality.
Trustworthy Computing 29
Mitigation 1: Restrict and protect high-privileged domain accounts
Prior to Windows Server 2012 R2, this mitigation could not technically be enforced at domain
controllers. Restricting privileged accounts from authenticating to less-trusted computers
can now be accomplished through authentication policies and silos. This mitigation requires
domain controllers to be upgraded because this functionality cannot be backported to
previous versions of Windows Server. This mitigation employs Kerberos policies and requires
administrators to use the Protected Users group that allows only Kerberos authentication and
provides added security to the accounts it contains. See “Authentication policies and silos“ for
more information, considerations, and feature limitations.
Windows features
Windows 8.1 and Windows Server 2012 R2 include a number of features that customers
can use to restrict and control exposure of credentials. Some of the features described here
can only be used effectively in fully upgraded environments, some are available in mixed
environments with domain controllers running Windows Server 2012 R2, and a few are
available in legacy environments running earlier versions of Windows. The “Applicability
summary for mitigations” section explains these options in detail. These features are
natively available on Windows 8.1 and Windows Server 2012 R2 and are available through
Windows update for other versions. For more information, see the Microsoft Security
Advisory 2871997: Update to Improve Credentials Protection and Management.
Trustworthy Computing 31
These features and platform enhancements are designed to help prevent an attacker
from stealing or using stolen credentials.
LSA protection-theft
Domain requirements:
None
Security identifiers (SIDs) uniquely identify individual users, groups, and other security
principals for access control and management purposes. This feature adds two new
well-known SIDs that can be used to select local accounts:
With earlier versions of Windows, customers had to select local accounts explicitly when
applying network logon restrictions, which often meant deploying scripts or other
tools to identify local accounts and groups. Organizations can use the new SIDs to
block network logon for local users and groups by account type, regardless of what the
local accounts are actually named (for example, deny access to the computer from the
network in Mitigation 2). This feature helps prevent an attacker from using stolen local
account credentials.
Domain requirements:
None
Previous Windows releases were susceptible to session leaks that allowed credentials
to remain in LSASS after users signed out. This susceptibility was particularly a problem
when applications impersonated another account and failed to terminate the session
after closing, which allowed credentials to remain in memory after users had initiated
the logoff process. New mechanisms have been implemented to eliminate session
leaks in LSASS, thereby preventing credentials from remaining in memory. This feature
helps prevent credential theft.
Feature limitations
This feature does not attempt to clean up all credentials stored locally after a user
logs off—only credentials stored in LSASS memory. There are still several of other
application and user credentials that an attacker could obtain from a compromised
computer. Microsoft encourages and supports secure development of applications (see
Security Development Lifecycle), but attack vectors will depend on how applications
handle or cache access credentials.
Domain requirements:
None
Earlier versions of Windows stored LAN Manager (LM) hashes in LSASS for passwords
that were compatible with LM (up to 15 characters long containing only ASCII
characters), even if the Group Policy setting Network Security: Do not store LAN
Manager hash value on next password change prevented LM hashes from being
stored in the local Security Accounts Manager (SAM) database or Active Directory
Domain Services (AD DS) database. LM hashes can be easily brute-forced to obtain a
plaintext password if an attacker manages to obtain these hashes from LSASS during a
session. These legacy hashes are no longer stored in LSASS. This feature helps prevent
credential theft.
Trustworthy Computing 33
Feature limitations
Although LM hashes have been removed from the platform by default, this
change does not prevent an attacker from obtaining plaintext passwords
through other means such as keystroke logging or brute-forcing a captured
NT hash. Although NT hashes are significantly more secure, they can still be
brute-forced in a matter of hours if the corresponding password is weak.
Domain requirements:
None
Microsoft Account * ** ~
New defaults Local Account * ** ~
Domain Account * ** ~
Protected Users ~
New features
Restricted Admin RDP
(RDP Session Host)
~ Only if installed
Password data in memory
** Off by default on Windows 8.1 and Windows Server 2012 R2 No password data in memory
* Off by default
Domain requirements:
None
System administrators and helpdesk personnel often use Remote Desktop Protocol
(RDP) to provide remote assistance to computer users. If a computer has been
compromised by an attacker, connecting to the compromised computer remotely with
RDP creates a risk that the attacker can obtain the remote user’s credentials and use
them to access other systems. To mitigate this risk, RDP has been updated to support
authentication without providing credentials to the RDP Session Host. This feature is
limited to accounts that have administrative rights on the remote host and supports
both NT LAN Manager (NTLM) and Kerberos protocols for authentication. This feature
helps prevent credential theft on the remote host.
Trustworthy Computing 35
Figure 8:
Remote Desktop
Restricted Admin
After applying the Windows updates 2973351 and 2975625, this feature
is disabled by default and can be enabled through a GPO. Customers can
enable and configure Restricted Admin mode by creating registry key
settings in HKLM\System\CurrentControlSet\Control\Lsa\:
• Creating this value and setting it to 1 will disable the use of the
machine account credentials for outbound connections in this mode.
If the target host does not support this feature, administrators will get
the following message: “The remote PC doesn’t support Restricted
Administration mode.”
Feature limitations
Because Restricted Admin Mode accepts standard Kerberos or NTLM
authentication on the remote host instead of requiring plaintext credentials,
enabling this feature can create additional risk in an environment in which
security best practices are not being followed. An attacker could use a modified
Remote Desktop client to gain access to a host using this feature, provided that
the attacker has network connectivity and credentials (TGT or account name with
associated NT hash) for an account with administrative permissions on the host.
Following security best practices such as those described in this paper and
the previously referenced white paper Mitigating Pass-the-Hash (PtH) Attacks
and Other Credential Theft Techniques can help mitigate these limitations and
significantly reduce the risk that attackers can gain access to administrative
credentials. Nevertheless, administrators should be aware of the potential
risk that Restricted Admin Mode might introduce if used in an environment
without best practices and other mitigations that limits the availability of
credentials to attackers.
Available on:
Windows 8.1, Windows Server 2008 R2
Domain requirements:
Windows Server 2012 R2 Domain Functional Level (DFL), which requires all
domain controllers to be upgraded to Windows Server 2012 R2.
Trustworthy Computing 37
Members of the Protected Users group cannot authenticate using NTLM,
Digest Authentication, or CredSSP. Users joined to this group will not use
cached logon password verifiers causing a logon event on the domain
controller for every interactive authentication. For more information on using
events for detection, see ”Detect PtH and related attacks.”
Members of this group are also restricted to strong encryption types during
the Kerberos pre-authentication process and cannot use the weaker DES
and RC4 encryption types. In addition, members of this group cannot be
delegated using constrained or unconstrained delegation of authentication.
The ticket lifetime for Protected Users is set by default to four hours, but
authentication policies can increase or decrease this lifetime. After the TGT
lifetime expires, users need to authenticate to renew the TGT.
Figure 9:
Creating
authentication
policies and silos
For more
information...
see Protected Users
Security Group.
More information
on retiring NTLM
can be found in
the Auditing and
restricting NTLM
usage guide on
Microsoft TechNet.
Feature limitations
This feature will not protect users from interactive sign-on to a compromised
host. Protected users cannot authenticate if Kerberos is not working
appropriately. All protected user accounts must be able to function in a Kerberos-
only configuration without falling back on NTLM authentication. Accounts that
require delegation should not be added to the protected users group, because
delegation is not supported for members of this group.
▪▪User
▪▪Computer
▪▪Managed Service Account
▪▪Group Managed Service Account
Support for both User Managed Service Account and Group Managed
Service Account are referred to as Services in the user interface. These
authentication policies are meant to be used in combination with Protected
User accounts.
This feature helps prevent credential theft and use of stolen credentials by
limiting where accounts may log on. Accounts may be restricted to logging
on to designated computers, limiting the usefulness of the credentials to
access other resources if stolen.
Note that this requires GPOs to enable both KDC (Key Distribution Center)
and Kerberos Client support for claims, compound authentication, and
Kerberos armoring.
Feature limitations
Authentication policies and silos require Kerberos and the Protected Users
group to ensure that restrictions are effective and not circumvented with
NTLM authentication. Authentication policies and silos should not include
domain controllers, because doing so could result in all other accounts being
unable to authenticate to the domain controller. See “Sample scenarios“ for
guidance on domain administration.
Trustworthy Computing 39
LSA protection
Available on:
For more
Windows 8.1 and Windows Server 2012 R2 information...
Domain requirements: on how to turn the
None LSASS process into
a protected process,
Windows 8.1 allows the LSASS process to be turned into a protected process. see Configuring
This feature prevents other processes (including processes running as Additional LSA
SYSTEM\Administrator) that are not signed by Microsoft from an approved Protection on
certification authority (CA) from tampering with the LSASS process. This TechNet. Microsoft
approach means that some attack tools, even when running as SYSTEM, will encourages
be unable to steal credentials from the LSASS process. This feature helps vendors to have
prevent credential theft. their LSA plug-ins
signed. For more on
Feature limitations this program, see
Protected process for LSASS is not a security boundary and should not LSA plug-in signing.
be used as a comprehensive mitigation; it is designed to make credential
harvesting harder but not impossible. This feature currently can be defeated
through a number of known means. Additionally, credentials may be
stored outside of LSASS in applications or Credential Manager and could
be obtained by an attacker. Ultimately, the only current way to prevent an
attacker from stealing privileged credentials from a system is to ensure that
the system never receives privileged credentials in the first place.
Domain requirements:
None
Although most of the changes in Windows 8.1 discussed in this paper are
designed to help administrators mitigate the risk of credential theft, the
Automatic Restart Sign-On (ARSO) feature introduced in Windows 8.1 creates
a new attack vector for credential theft if enabled. The ARSO routine is
designed to allow Windows lock screen notification (for example, an alarm
clock or calendar notifications that appear on the device’s lock screen) to
continue functioning when the device automatically installs updates and
reboots in the user’s absence. To achieve this experience, Windows must
temporarily store the logged-on user’s encrypted credentials to local storage
while the device restarts, and then use them to log the user back on and lock
the device. This approach makes any important notifications immediately
visible to users when they return to the device. However, an attacker may be
able to gain access to the credentials during the period when they are stored.
Figure 10:
Automatic restart
sign-in
For more
information...
about ARSO,
see Winlogon
Automatic Restart
Sign-On (ARSO) on
Microsoft TechNet.
Trustworthy Computing 41
Applicability summary for mitigations
*Remote Desktop service (RDP Session Host) support for this feature is only available on Windows 8.1 and Windows Server 2012 R2.
Sample scenarios
This section describes common IT scenarios, strategies, and recommendations to
reduce the risk of credential theft. For some scenarios, it also recommends when to
implement mitigations such as RDP with Restricted Admin mode, authentication
policies and silos, and the Protected Users group. General considerations are provided
for Business group isolation and bring your own device (BYOD) scenarios.
Helpdesk
Domain administration
Service accounts
Trustworthy Computing 43
Helpdesk
Helpdesk support accounts are high-value accounts and an attractive target for
adversaries. These accounts typically have administrative access on most or all user
workstations to resolve support issues.
Risks: This scenario could result in an attacker gaining access to credentials with more
privileges than the credentials that are typically available on the target computer.
When planning support processes and technology, customers should consider the
following risk factors:
▪▪The user is not malicious, but the computer has been compromised by an attacker.
▪▪The user is malicious, and is inducing the support staffer to authenticate to the
compromised host to gain access to their domain credentials.
When the user is malicious or the computer has been compromised, exposing
credentials to the computer could enable an attacker to obtain credentials that could
be used to authenticate to other computers and escalate privileges. Using accounts
with unnecessary user rights or from a non-designated workstation increases the risk.
Use hardened and restricted hosts. Enable helpdesk administrators to perform their
work from hardened workstations that are constantly monitored for security events.
Ensure these recommended security practices are enforced on these workstations.
• Ensure that the password for the local administrator account for these
workstations are each unique.
• If possible, limit the administrative accounts from accessing the Internet while
allowing the nonprivileged user accounts to have Internet access.
Create authentication policies and silos. If the organization can use the Protected
Users security group, they can create authentication policies and silos to constrain
the helpdesk administrator accounts to obtain Kerberos TGTs only on the hardened
workstations. Doing so will help limit exposure of these accounts and ensure that any
compromised helpdesk accounts cannot be used outside this defined scope.
This approach would still allow the use of Remote Desktop with Restricted Admin
mode to manage user workstations outside of the silo, because only Kerberos service
tickets are required to connect to a remote host. If combined with monitoring, this
approach could also flag potential misuse.
Domain administration
Organizations generally require certain administrators to have privileged access to
domain controllers to maintain the organization’s computing infrastructure. While
organizations are advised to delegate other functions of domain administrator (DA)
and enterprise administrator (EA) groups, Microsoft recognizes that the use of these
privileges is frequently unconstrained. Accounts with these privileges are often used to
administer Active Directory accounts and other objects in the forest.
Risks: DA or equivalent accounts are high-value targets because they can enable
an attacker to compromise an organization’s entire Active Directory environment.
Customers should consider these risk factors:
▪▪The organization does not monitor DA accounts for anomalous behavior or usage.
▪▪These accounts are assigned to vendors and other support staff outside the organi-
zation, without ensuring third-party compliance with best practices.
Trustworthy Computing 45
Use hardened and restricted hosts. Require that DA and equivalent accounts perform
their work only from hardened workstations that are consistently monitored, and ensure
that security best practices are enforced in the use of these workstations. See the “Create
hardened and restricted administrative hosts” section for more details. Also ensure that the
password for the local administrator account for these workstations is unique.
Implement security monitoring Monitor the usage of these privileges carefully and
investigate anomalous behavior rapidly. Monitoring and investigation can be accomplished
with a combination of processes and tools that enforce just-in-time access, access hours, and
automatic account monitoring or similar mechanisms.
Add accounts to Protected Users security group. If Kerberos is fully supported for their
tasks and domain controllers have been upgraded, add all these DA accounts to the
Protected Users group to ensure added security for these accounts.
Create authentication policies and silos. Create authentication policies and silos to
define constraints on the use of DA accounts. Doing so will help ensure that if accounts
are compromised, they cannot be used outside their defined scope (authenticate from
a designated administrative workstation to a domain controller). If combined with
monitoring, this approach could flag potential misuse. For more information about
how to do this, see How to Configure Protected Accounts on TechNet.
Risks: Much like DA accounts, accounts that are used for operations management
are highly sought after by attackers because they provide significant access to an
organization’s data, systems, infrastructure, and services. The risks are very similar to
domain administrators, with exception of the scope of impact.
The usage requirement for accounts used to run a Windows service are typically
consistent. Windows Server 2008 R2 introduced the concept of the managed service
accounts, which are accounts that are tied to a specific computer and are automatically
set up and maintained with a complex password updated every 30 days by default.
Managed service accounts are exempt from domain password policies and cannot be
used to log on interactively.
Risks: Attackers frequently target service accounts for credential theft. The specific risks
associated with any given service account are directly related to:
Another common risk with using domain unmanaged service accounts is that passwords
will not be automatically generated or managed, which often results in weak passwords,
password reuse, and passwords that are valid for months or years. Changing the
password for a service account can frequently incur the risk of service downtime, which
increases the chances that service account passwords are not changed frequently.
Grant the least privilege. For all service accounts, grant the least privilege to the
accounts that is required by the application. Accounts should start with standard user
privileges and only be granted privileges on hosts and in Active Directory Domain
Services as required by the application. This privilege level will vary by application, but
several general rules should be followed:
Trustworthy Computing 47
▪▪Service accounts should never be granted membership in Domain Admins,
Enterprise Admins, Schema Admins, Account Operators, or BUILTIN\Administrators.
In rare cases, exceptions can be made for applications that manage Active
Directory Domain Services, but these groups should never be used to grant local
administrative privileges on hosts. Features such as restricted groups and Group
Policy preferences should be used to grant access to multiple hosts instead. For
more information, see Local Users and Groups Extension.
▪▪For accounts that can be configured to use Network Service or Local Service, use
one of these accounts rather than Local System. For more information see Service
User Accounts.
Use managed service accounts. Whenever possible, use managed service accounts so
that passwords for the accounts are set and managed automatically. This mitigation is
appropriate for accounts that run Windows services, but is not applicable for accounts
that applications use to perform tasks (which require the application to store the
account password). Create and use managed service accounts with the default managed
service account container. For more information, see Managed Service Accounts
(documentation for Windows 7 and Windows Server 2008 R2) or Group Managed
Service Accounts Overview on TechNet.
Change passwords regularly. For service accounts whose passwords are not
automatically managed with a tool or by the managed service account process,
organizations should design a process to regularly change these passwords and follow
these procedures.
Monitor service account activity. Monitoring should also be in place if such accounts
are used in an enterprise to ensure that they do not move from one assigned area of the
network into another (which suggests that they have been compromised by an attacker).
Contain credential exposure. Ensure that the service accounts are compliant with
the tiered model described earlier in this paper. For unmanaged service accounts,
organizations can create authentication policies and silos to define network constraints
in their use. Doing so will ensure that if accounts are compromised, they cannot be used
outside their defined scope. If combined with monitoring, this approach could flag
potential misuse. Service accounts should be limited to the required hosts and accounts
used for a particular service or application. For more information about how to accomplish
this configuration, see How to Configure Protected Accounts on TechNet.
Note: Do not add service accounts used to run Windows services to the protected
users group. Services and hosts need to access long-term keys to decrypt service
tickets from clients. Protected users discard keys so all inbound connections would
fail to these services and hosts. Service accounts used exclusively for outbound
authentication, such as those used by an application to perform actions on remote
hosts are potentially good candidates for this protection.
Considerations:
▪▪Ensure that use cases for users, applications, and accounts are well defined.
▪▪Configure hosts in the department or workgroup to adhere to an assurance
standard that includes elements described in the “Create hardened and restricted
administrative hosts“ section.
▪▪Restrict users that have access to sensitive data from logging on to computers
outside their department. Consider implementing restrictions based on the Tier
Model described in the “Protect against known and unknown threats“section.
▪▪Consider blocking Internet access from the hosts and providing Internet browsing
through a separate computer, such as a server hosting the browser in Remote
Desktop Protocol (RDP) sessions.
▪▪Ensure that business groups do not share accounts or passwords outside the
isolated business group.
▪▪Ensure that the local administrative passwords on workstations and servers are
different from that of other hosts.
This section contains guidelines and considerations for the BYOD scenario related to
credential theft. This section is not comprehensive for all BYOD design considerations and
Microsoft advises customers to perform extensive planning and testing for this scenario.
The risks related to allowing BYOD devices to connect to resources varies depending
on the strategy adopted by the organization and the type of device. Because
organizations do not have exclusive control over the policy and configuration of these
devices, they should be considered high-risk.
Considerations:
▪▪Ensure that the use cases and policies for BYOD are well defined.
▪▪Ensure that the risks of allowing BYOD devices to access and store corporate data
are fully understood and accepted by stakeholders.
▪▪Ensure that BYOD devices are not used for administrative tasks and administrative
users don’t log on to BYOD devices.
Trustworthy Computing 49
▪▪Ensure that high business impact (HBI) data is not being stored on these devices,
and that accounts with access to HBI data are not used on them.
▪▪Ensure that users don’t use the same password between corporate and personal
accounts on the devices.
The determined adversaries who conduct targeted attacks will continue to evolve
rapidly, as will the threat landscape. Determined adversaries will adapt to the defenses
of targeted organizations and seek out new ways of exploiting systems and the people
who operate and maintain them. It is crucial to recognize that a comprehensive
defense approach is needed and that organizations should be prepared to defend
against these threats.
Trustworthy Computing 51
References
References made in this paper include the following:
How to change the default permissions on GPOs in Windows Server 2008 R2,
Windows Server 2008, Windows Server 2003, and Windows 2000 Server
http://support.microsoft.com/kb/321476
Approving Updates
http://technet.microsoft.com/en-us/library/cc708458(v=ws.10).aspx
Trustworthy Computing 53
LSA plug-in signing
http://msdn.microsoft.com/en-us/library/windows/hardware/dn629520.aspx
KRBTGT account
http://technet.microsoft.com/en-us/library/dn745899.aspx#Sec_KRBTGT
Azure Active Directory Identity and Access Management for the Cloud
http://azure.microsoft.com/en-us/services/active-directory/
BitLocker
http://technet.microsoft.com/en-us/library/dn641993.aspx
Several enterprise solutions exist that facilitate host isolation and credential
management; other solutions can facilitate the handling of security events.
Internet protocol security (IPsec) allows not only isolation but also
For more network-level peer authentication, data origin authentication, data integrity,
information... and data confidentiality through encryption and replay protection.
on deploying
• Pros: Hard isolation boundary protects against network-based attacks.
IPsec is available • Cons: Difficult to set up, requires maintenance if IP addressing changes.
in Networking and
Access Technologies:
IPsec on TechNet.
▪▪Temporary admin privileges, password management, and security
policy enforcement can be done with a number of tools, including
Forefront Identity Manager.
Trustworthy Computing 55
Security information and event management (SIEM) solutions allow organizations
to automatically detect threats. By processing high log volumes, classifying events
and indexing, these tools can enable watchdogs on specific events that could enable
organizations to detect specific threats. There are no Microsoft solutions currently
available to support this requirement, but many third-party tools are available.
• Cons: There are limitations on events that can currently be monitored for
credential theft. Customers are advised to implement mitigations and strategies
to restrict scope and create watchdogs on deviation. Another important
consideration is that some devices are not real-time devices and have capacity
limitations. Check with third-party manufacturers for tool specifications.
Figure 11:
Admin forest
Trustworthy Computing 57
• Selective authentication should be used to restrict accounts in the
admin forest to only logging on to the appropriate production hosts.
For maintaining domain controllers and delegating rights in Active
Directory, this typically requires granting the “Allowed to logon” right
for domain controllers to designated Tier 0 admin accounts in the
admin forest. See Configuring Selective Authentication Settings for
more information.
One caveat to using this group to grant rights is that they won’t have
administrative access to new group policy objects by default. This can
be changed by following the procedure in this knowledge base article
to change the schema default permissions: http://support.microsoft.
com/kb/321476
• Accounts in the admin forest that are used to administer the production
environment should not be granted administrative privileges to the
admin forest, domains in it, or workstations in it.
• The administrative forest hosts should have the latest operating systems
installed, even if this is not feasible in production.
• The administrative workstations and server hosts should follow all guidance For more
in the “Create hardened and restricted administrative hosts” section information...
• The applications required for performing administration should be pre- see Deploy
installed on workstations so that accounts using them don’t need to
Remote Server
be in the local administrators group to install them. Domain Controller
Administration Tools
maintenance can typically be performed with RDP and Remote Server
Administration Tools.
▪▪Account hardening
• Multi-factor authentication should be configured for all accounts
in the admin forest, except one account. At least one administrative
account should be password based to ensure access will work in case
the multi-factor authentication process breaks. This account should be
protected by a stringent physical control process.
For more
information...
see Settings for Note: This can interrupt operations in progress that are using this account,
default local so this process should be initiated only when administrators won’t be
accounts in Active using the account, such as at night or on weekends.
▪▪Detective controls
Directory.
Trustworthy Computing 59
60 Mitigating Pass-the-Hash and Other Credential Theft, version 2